[Newsclips] IETF SYN-ACK Newspack 2024-03-18

David Goldstein <david@goldsteinreport.com> Mon, 18 March 2024 02:11 UTC

From: David Goldstein <david@goldsteinreport.com>
To: newsclips@ietf.org
Date: Mon, 18 Mar 2024 13:11:23 +1100
Organization: Goldstein Report
Message-ID: <009201da78d9$94da1ed0$be8e5c70$@goldsteinreport.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/newsclips/8JkCzBuvinBMtiwyWS0m69C3-TI>
Subject: [Newsclips] IETF SYN-ACK Newspack 2024-03-18

The IETF SYN-ACK Newspack collects IETF-related items from a variety of news outlets and other online publications. They do not represent the views of the IETF and are not checked for factual accuracy.

 

**********************

IETF IN THE NEWS

**********************

Digital Sovereignty and Internet Standards

There is a view that Internet standards, and the IETF in particular, are at the centre of many corporate and national strategies to exert broad influence and shape the internet to match their own preferred image. This view asserts that standards have become the most important component of the Internet’s infrastructure. Due to their economic and strategic importance, the process of creating internet standards is inevitably subject to the intense economic and political tensions between diverse world views. There are, naturally, other views, along the lines that the IETF does little other than reflect the more general pressures and directions being taken by industry actors, and has no ability to exert any leadership role in this space.

https://www.potaroo.net/ispcol/2024-03/sovreignity.html

https://circleid.com/posts/20240314-digital-sovereignty-and-internet-standards

 

Improving Regional Internet Registry Alignment in the RPKI Space

As a result of the Number Resource Organization (NRO) Strategic Review Process, which started in 2022, the NRO agreed to work toward providing a robust, coordinated, and secure Resource Public Key Infrastructure (RPKI) service as one of its main priorities. ... Find us at Internet events. A cohort of RPKI Steering Group members, as well as myself, will be attending the IETF 119 meeting in Brisbane, Australia. Please say hello if you see us there!

https://www.arin.net/blog/2024/03/11/improving-rir-alignment-rpki/

https://blog.apnic.net/2024/03/11/improving-regional-internet-registry-alignment-in-the-rpki-space/

https://labs.ripe.net/author/sofia_silva_berenguer/improving-rir-alignment-in-the-rpki-space/

 

Google's Post-Quantum Upgrade Doesn't Mean We're All Protected Yet

... This all gets more complex when we consider that the TLS protocol, within which Google has added Kyber on a bespoke basis, is managed by the IETF. IETF hasn't yet ratified a standard way for companies to add post-quantum algorithms as part of TLS, which also needs to happen for any widespread adoption to take place.

https://www.darkreading.com/cloud-security/google-s-post-quantum-upgrade-doesn-t-mean-we-re-all-protected-yet

 

A Landmark Standards Human Rights Judgment

On 5 March 2024, the Grand Chamber of the European Court of Human Rights handed down a landmark judgment that was years in the making. ... Commentary: Although the Court’s judgement was necessarily directed at the European Commission, the losing party was the Belgium-based, private joint legacy standards body known as CEN/CENELEC that “brings together National Standardization Bodies of 34 European countries” that participate in ISO and IEC. It has enjoyed a de facto monopoly to repackage ISO/IEC standards as European normative standards and sell them for enormous prices. The practices have been abusive in the cybersecurity sector. ... There are many reasons for this shift that go beyond the human right of access that was the basis for the decision. ... Fifth – as recently noted within the IETF – the inability for open scrutiny of the standards introduces potentially significant vulnerabilities. It is not apparent that CEN/CLC/ISO/IEC themselves even have vulnerability disclosure policies.

https://circleid.com/posts/20240314-a-landmark-standards-human-rights-judgment

 

NIST National Vulnerability Database Disruption Sees CVE Enrichment on Hold

... According to Hughes, there have previously been discussions within NVD stakeholder circles about replacing CPE. Such a replacement could be Software Identification (SWID) tags, a software tagging standard supported by both the Trusted Computing Group (TCG) and the IETF.

https://www.infosecurity-magazine.com/news/nist-vulnerability-database/

 

Why financial institutions must move quicker on quantum

... For example, IETF recently created a new VPN standard that helps specify how VPNs can exchange communications securely in the quantum age. The novel approach prioritises interoperability by making it possible for multiple post-quantum and classical encryption algorithms to be incorporated into VPNs, ensuring no disruption to the functioning of existing IT systems, and protecting data from attack by both classical and quantum computers.

https://www.finextra.com/the-long-read/973/why-financial-institutions-must-move-quicker-on-quantum

 

Device Onboarding using FDO and the Untrusted Installer Model

... FDO data formats are built on several IETF standards. FDO messages and data objects (including the ownership voucher) are encoded using the Concise Binary Object Representation (CBOR) format. Digital signatures use the CBOR Object Signing and Encryption (COSE) format or the Entity Attestation Token (EAT).

https://cacm.acm.org/practice/device-onboarding-using-fdo-and-the-untrusted-installer-model/

 

The only thing holding back Google's Find My Device network now is Apple

... It’s for this reason that Google in late July announced that it was delaying the launch of the Find My Device network. Google said that it would be “working in partnership with Apple to help finalize the joint unwanted tracker alert specification by the end of this year.” The specification in question is Detecting Unwanted Location Trackers (DULT), which is currently undergoing a lengthy and extensive process set forth by the IETF to become an Internet standard.

https://www.androidpolice.com/find-my-device-network-held-back-apple/

 

Judge: Apple Must Answer to AirTag Stalking Concerns

... Last year, Google and Apple, announced that they were jointly submitting a proposal meant to help the industry deal with unwanted tracking. The industry-wide specification was a draft and was submitted via the IETF.

https://techweez.com/2024/03/17/apple-airtag-stalking-lawsuit/

 

Mejorar la coherencia de los Registros Regionales de Internet en el espacio de RPKI [Improving the alignment of the Regional Internet Registries in the RPKI space]

As a result of the Number Resource Organization (NRO) Strategic Review Process that began in 2022, the NRO agreed to work toward providing a robust, coordinated and secure Resource Public Key Infrastructure (RPKI) service as one of its main priorities. ... Find us at Internet events. Many members of the RPKI Steering Group, myself included, will be attending the IETF 119 meeting in Brisbane, Australia. If you see us, don't hesitate to say hello.

https://blog.lacnic.net/enrutamiento/mejorar-la-coherencia-de-los-registros-regionales-de-internet-en-el-espacio-de-rpki

 

**********************

IETF COMMUNITY NOTES

**********************

New working group aims to make spotting unwanted trackers easier

Location-tracking accessories provide numerous benefits to users, such as being able to find where they left their keys. But they can also have security and privacy implications if used for malicious purposes. A newly formed IETF working group has taken on the task to standardize a protocol that protects people against being unknowingly tracked.

https://www.ietf.org/blog/dult-wg/

 

New Internet Architecture Board, IETF Trust, IETF LLC and IETF Leadership Announced

Members of the incoming Internet Architecture Board (IAB), the IETF Trust, the IETF Administration LLC (IETF LLC) Board of Directors, and the Internet Engineering Steering Group (IESG)—which provides leadership for the IETF—have been officially announced, with new members selected by the 2023-2024 IETF Nominating Committee.

https://www.ietf.org/blog/nomcom-announcement-2024/

 

**********************

SECURITY & PRIVACY

**********************

KeyTrap!

Yet another DNS vulnerability has been exposed. The language of the press release revealing the vulnerability is certainly dramatic, with "devastating consequences" and the threat to "completely disable large parts of the worldwide Internet." If this is really so devastating then perhaps we should look at this in a little more detail to see what’s going on, how this vulnerability works, and what the response has been.

https://www.potaroo.net/ispcol/2024-03/keytrap.html

https://blog.apnic.net/2024/03/12/keytrap/

 

eu: Cyber Resilience Act: MEPs adopt plans to boost security of digital products 

On Tuesday, Parliament approved new cyber resilience standards to protect all digital products in the EU from cyber threats.

https://www.europarl.europa.eu/news/en/press-room/20240308IPR18991/cyber-resilience-act-meps-adopt-plans-to-boost-security-of-digital-products

 

us: FCC Creates Voluntary Cybersecurity Labeling Program For Smart Products

The Federal Communications Commission today voted to create a voluntary cybersecurity labeling program for wireless consumer Internet of Things products. Under the program, qualifying consumer smart products that meet robust cybersecurity standards will bear a label—including a new “U.S. Cyber Trust Mark”—that will help consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards.

https://www.fcc.gov/document/fcc-adopts-rules-iot-cybersecurity-labeling-program

 

Why Are Large AI Models Being Red Teamed? Intelligent systems demand more than just repurposed cybersecurity tools

In February, OpenAI announced the arrival of Sora, a stunning “text-to-video” tool. Simply enter a prompt, and Sora generates a realistic video within seconds. But it wasn’t immediately available to the public. Some of the delay is because OpenAI reportedly has a set of experts called a red team who, the company has said, will probe the model to understand its capacity for deepfake videos, misinformation, bias, and hateful content.

https://spectrum.ieee.org/red-team-ai-llms

 

Verify MANRS Compliance Automatically with ROSE-T

Hygienic routing is critical for securing the Internet. MANRS helps mitigate the most common routing threats by encouraging organizations to adhere to a set of best practices and guidelines, and proposes specific actions in four programs: Network Operators, Internet Exchange Points, CDNs and Cloud Providers, and Equipment Vendors. In this post, we will focus on the Network Operators’ actions — Coordination, Global Information, Anti-Spoofing, and Filtering — and how we have developed a first-of-its-kind open-source tool to verify MANRS compliance automatically.

https://manrs.org/2024/03/verify-manrs-compliance-automatically-with-rose-t/

 

**********************

NEW TRANSPORT PROTOCOLS

**********************

DNS MTTRS: Overcome the Challenges of Evolving Encrypted DNS Protocols!

... QUIC: Solving DNS Encryption Challenges: In response to the challenges posed by traditional encrypted DNS solutions, a new protocol emerged: Quick UDP Internet Connections (QUIC). Unlike conventional solutions, QUIC operates over UDP and integrates TLS 1.3 encryption, promising improved performance for web applications by establishing multiple multiplexed connections between endpoints. And for encrypted DNS, QUIC offers two options: DNS-over-QUIC (DoQ) and DNS-over-HTTP/3 (DoH3), each with unique advantages and port assignments.

https://blogs.infoblox.com/community/dns-mttrs-overcome-the-challenges-of-evolving-encrypted-dns-protocols/

 

**********************

OTHERWISE NOTEWORTHY

**********************

Consultation: Narratives to Deploy Internet Standards

DC-IS3C (Internet Standards, Security and Safety Coalition) invites you to participate in a public consultation on how to persuade workplaces to deploy the security-related Internet standards DNSSEC and RPKI. IS3C experts have worked on an alternative narrative for employees' use. Please share your views and experience, so IS3C can present the strongest and most convincing arguments possible. The consultation runs until 5 April.

https://intgovforum.org/en/content/consultation-narratives-to-deploy-internet-standards

 

Adding IPv6-only to DNS and UDP Truncation

In February I looked at the behaviour of the DNS when processing responses in UDP which set the Truncated flag in the DNS response. In particular, I was looking for the incidence of DNS resolvers which used the Answer section in truncated responses (despite the admonition in DNS standards not to do so) and the extent to which there are DNS resolvers out there that are incapable of using DNS over TCP. This month I’ll report on a repeat of this experiment using a test environment where only IPv6 can be used.

https://www.potaroo.net/ispcol/2024-03/truncation-v6.html

https://blog.apnic.net/2024/03/14/ipv6-dns-and-truncation-in-udp/

 

NTP Pool: The Internet timekeeper

Ancient Romans relied on sundials and water clocks to keep track of time. Keeping track of time is one thing; accurately transferring this information is another. In ancient Rome, you would have to walk up to a sundial or water clock to know what time it was — if you could find one.

https://www.sidnlabs.nl/en/news-and-blogs/ntp-pool-the-internet-timekeeper

https://labs.ripe.net/author/giovane_moura/ntp-pool-the-internet-timekeeper/

https://blog.apnic.net/2024/03/15/ntp-pool-the-internet-timekeeper/

 

Huawei ‘Imagine Wi-Fi 7’ Innovative Application Contest Launched in Partnership with IEEE UAE Section [news release]

As Wi-Fi becomes an inevitable part of individuals and businesses, the new generation of Wi-Fi promises limitless opportunities for end consumers and businesses. Recognizing the critical role of Wi-Fi in shaping the future, the Institute of Electrical and Electronics Engineers (IEEE) UAE Section and Huawei have joined forces to launch the groundbreaking Huawei ‘Imagine Wi-Fi 7’ Innovative Application Contest. This collaborative initiative invites ICT practitioners across the Middle East and Central Asia (ME&CA) to share innovative ideas and explore the best implementation scenarios for the latest Wi-Fi generation—Wi-Fi 7.

https://e.huawei.com/ae/news/2024/ae/huawei-imagine-wi-fi-7-contest-launched-in-partnership-with-ieee

 

The Fundamental Flaw at the Heart of the Internet

Tuesday, March 12 marked the 35th anniversary of the World Wide Web. Sir Tim Berners-Lee, the visionary who designed it, now says the web is “perverse,” and doing more harm than good. The way it has evolved, he says, generates dysfunctional incentives that allow a few giant platforms and their all-knowing algorithms to steer human behavior into antisocial, destructive directions.

https://time.com/6900256/internet-fix-frank-mccourt/

https://www.msn.com/en-us/money/other/the-fundamental-flaw-at-the-heart-of-the-internet/ar-BB1jMndw

 

From a humble beginning 35 years ago, the Web is now central to the daily lives of billions

With those words, the World Wide Web was first proposed on this day 35 years ago by Tim Berners-Lee at CERN. Many inventions and creations often surpass their initial intention and the Web is no exception. The general applicability of the proposed solution to CERN’s problems was quickly apparent as many organizations and systems of people faced similar challenges.

https://www.w3.org/blog/2024/from-a-humble-beginning-35-years-ago-the-web-is-now-central-to-the-daily-lives-of-billions/

 

Managing the impact of AI & Machine Learning on the Web

The past few months have seen an avalanche of announcements linked to Artificial Intelligence systems, mostly based on Machine Learning models. These systems are strongly coupled with the Web as a platform: many models are trained from Web content crawled at scale, distributed or surfaced via Web interfaces, and in a number of cases, are used to generate content that gets published on the Web at an unprecedented rate.

https://www.w3.org/blog/2024/managing-the-impact-of-ai-machine-learning-on-the-web/

------

David Goldstein

email: david@goldsteinreport.com

web: http://goldsteinreport.com/

Twitter: https://twitter.com/goldsteinreport

phone: +61 418 228 605 - mobile; +61 2 9663 3430 - office/home